Bugtraq mailing list archives
Re: undocumented bugs - nfsd
From: okir () MONAD SWB DE (Olaf Kirch)
Date: Wed, 10 Nov 1999 10:54:31 +0100
On Tue, Nov 09, 1999 at 11:39:39AM +0100, Mariusz Marcinkiewicz wrote:
After reading lcamtuf's posts I decided write this one. Few months ago one of my friends - digit - found bug in linux nfsd daemon. I made example sploit about IV 1999. Now in distributions is new nfsd and nowhere was information about security weaknes of old version!
Well, one gets used to people posting to bugtraq without bothering to send any mail whatsoever to the maintainer of a free software package. But whining about the bug not having been fixed without even sending a bug report *anywhere* kind of beats everything I've seen so far. Am I now supposed to follow alt.support.p30ple.with.sp311ing.pr0blemz? FWIW, the source distribution of unfsd contains a file called BUGS which even the attention span challenged have a hard time overlooking. This file contains fairly detailed instructions on how to submit a bug report. Concerning the problem Mariusz has been handwaving about, this is a serious issue. It's got nothing to do with realpath(), however. The true cause of the problem is that the code relies on the total length of a path to not exceed PATH_MAX + NAME_MAX. I'm not sure whether this is a common Unix problem, but at least on Linux, PATH_MAX merely seems to put an upper limit on the length of a single path you can hand to a syscall (size of a page - 1, i.e. 4095). However it still allows you to create files within that directory as long as you use relative names only... As to the impact of the problem, it's nasty, but you will need to have a directory exported read/write to you in order to exploit it (or you're able to impersonate a host with this kind of access). Appended you'll find a patch against 2.2beta46 that rectifies this problem. The full source for 2.2beta47 can be found at ftp://mathematik.tu-darmstadt.de/pub/linux/people/okir Another version (2.2.48) that has some additional, non-security related fixes I have been working on can be found in the dontuse subdirectory. Olaf -----BEGIN PGP SIGNED MESSAGE----- 79a29fe9f79b2f3241d4915767b8c511 nfs-server-2.2beta47.tar.gz c2ef6e37064ca7d9e52de7b711a7ebec patch-2.2.47.gz -----BEGIN PGP SIGNATURE----- iQCVAwUBOClCC+FnVHXv40etAQGRvwP/czA9uZ3EYthdO01h9E98tOmKgJ+rkJ9q tBQwrs452a+A3xv6t1/V4rT6Q5BTPnzVkxyAIjiXwhSYbUbBS7C/yCqYfi/fzb2i 6lCYqdBxjxE9hX5PuYR983egHNOnA4dTlSgjhP13bSaNKifF1XwD1IYgGuo1ZoGp eDNa0+cFGG8= =dHTh -----END PGP SIGNATURE----- -- Olaf Kirch | --- o --- Nous sommes du soleil we love when we play okir () monad swb de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax okir () caldera de +-------------------- Why Not?! ----------------------- UNIX, n.: Spanish manufacturer of fire extinguishers. <!-- attachment="patch-2.2.47.gz" --> <HR> <UL> <LI>application/octet-stream attachment: patch-2.2.47.gz </UL>
Current thread:
- Security flaw in Cobalt RaQ2 cgiwrap Chris Adams (Nov 08)
- Irfan view 3.07 buffer overflow UNYUN (Nov 08)
- Re: Security flaw in Cobalt RaQ2 cgiwrap Nathan Neulinger (Nov 08)
- Re: Security flaw in Cobalt RaQ2 cgiwrap Chris Adams (Nov 09)
- undocumented bugs - nfsd Mariusz Marcinkiewicz (Nov 09)
- Re: undocumented bugs - nfsd Olaf Kirch (Nov 10)
- rpc.nfsd exploit code Mariusz Marcinkiewicz (Nov 10)
- Re: rpc.nfsd exploit code Crispin Cowan (Nov 11)
- WU-FTPD Mnemonix (Nov 11)
- Re: WU-FTPD hayward () SLOTHMUD ORG (Nov 12)
- Re: rpc.nfsd exploit code Mariusz Marcinkiewicz (Nov 12)
- Re: rpc.nfsd exploit code Rogier Wolff (Nov 12)
- Re: undocumented bugs - nfsd Olaf Kirch (Nov 10)
- BIND NXT Bug Vulnerability Elias Levy (Nov 10)
- Re: BIND NXT Bug Vulnerability Richard Trott (Nov 10)
- Re: BIND NXT Bug Vulnerability Mike Iglesias (Nov 10)
- [RHSA-1999:053-01] new NFS server pacakges available (5.2, 4.2) Bill Nottingham (Nov 10)